Re: HELP - File Auditing

From: "Cameron Frasnelly" <networkmanage@premierwestbank.com>
Date: Fri, 28 Feb 2003 14:10:24 -0800


We have performed all of the below on many servers with no results... I am
an MCSE and I have had several other seasoned technicians look at this...
Any more ideas would be appreciated!

"Todd Beebe" <todd@turillion.com> wrote in message
news:05f501c2df75$2a773ba0$2f01280a@phx.gbl...

Enabling either success or failure event auditing does
not automatically trigger any new "object access" audit
events to be logged. Auditing must be enabled on
individual objects for audit events to be logged.

To enable auditing on a file/directory do the following:

1. Start Explorer
2. Right click on the file/directory you want to audit,
and from the context menu select properties
3. Select the Security tab and click Auditing
4. If you have selected a directory, check the "replace
auditing on subdirectories"
5. Click the Add button and add the user(s) who you wish
to audit by selecting and clicking Add. When finished
adding users, click OK
6. Select the events you wish to audit and then click OK

Once you enable auditing on specific objects (files,
directories, registry keys) you should begin to see audit
events logged to the Eventlog.

Regards,

Todd Beebe, CISSP

>-----Original Message-----
>We have "Audit Object Access" set to effective success and failure on all of
>our servers. All servers are (and have been) part of our domain. The
>servers have had these settings for many days now. We still are unable to
>get file auditing to log anything at all... any help would be appreciated...
>we received the below from MS support.... GPEDIT.msc shows the proper
>effective settings and it has been many days now...
>
>Thanks for your time.
>++++++++++++++++++++++++++++++++++
>Hi Cameron,
>
>Did that server join a domain? If you open the GPEDIT.msc in that server,
>what the effective setting is for the following:
>Local Computer Policy\Computer Configuration\Windows Settings\Security
>Settings\Local Policies\Audit Policy\Audit object access
>
>At the same time, because the changes that you make to your computer's
>audit policy setting take effect only when the policy setting is propagated
>(or applied) to your computer, complete one of the following steps to
>initiate policy propagation:
>
>1. Type "secedit /refreshpolicy machine_policy" (without the quotation
>marks) at the command prompt, press ENTER, and then restart the computer.
>
>2. Wait for automatic policy propagation, which occurs at regular
>intervals that you can configure. By default, policy propagation occurs
>every eight hours.
>
>Regards,
>
>Jeff Qiu
>jefffqiu@online.microsoft.com
>Online Support Professional
>Microsoft Corporation
>
>This posting is provided "AS IS" with no warranties, and confers no
>rights.
>
>--------------------
>>Reply-To: "Cameron Frasnelly" <networkmanage@premierwestbank.com>
>>From: "Cameron Frasnelly" <networkmanage@premierwestbank.com>
>>Subject: Auditing File Deletion NOT WORKING
>>Date: Wed, 26 Feb 2003 13:57:43 -0800
>>microsoft.public.win2000.security
>>
>>Hi there,
>>
>>We have object access success / failure turned on at the group policy level
>>and on a specific server. We then turn auditing for file deletion on for
>>Everyone on a specific folder and apply to files and folders beneath it.
>>Before deleting a file (just for testing) we check to make sure auditing is
>>applied to it... it is. We then delete the file and receive no event in any
>>log for its deletion. We were expecting an event 564... but none.
>>
>>win2k server with sp3 and all the latest patches
>>
>>Any ideas would be greatly appreciated.
>>
>>Cameron
>>
>>
>>
>
>
>.
>
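The two conditions discussed in this thread (the "Audit object access" policy in effect, plus an audit entry on the object itself) can be checked and set from a script. This is an added example, not part of the original posts. It assumes a current Windows release with PowerShell and auditpol.exe (neither is on the Windows 2000 servers in the thread), an elevated prompt, an English-language system, and a hypothetical test folder C:\AuditTest. On these releases file access and deletion are logged as Security events 4663 and 4660 rather than 564.

```powershell
# Added example: assumes an elevated PowerShell session on a current Windows release.
# $Path is a hypothetical test folder; change it to the folder you want to audit.
$Path = 'C:\AuditTest'
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# 1. Policy side: show whether object-access auditing is effective for files.
#    The subcategory name is localized; "File System" is the English name.
auditpol /get /subcategory:"File System"

# 2. Object side: build an audit entry (SACL ACE) for Everyone, covering
#    delete operations, success and failure, inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit is required, otherwise the SACL is not read and would not be written back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Confirm a new child file really inherited the audit entry.
$probe = Join-Path $Path 'probe.txt'
Set-Content -Path $probe -Value 'audit test'
(Get-Acl -Path $probe -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 4. Delete the file, then look for the matching access event.
#    Event 4663 carries the object name; 4660 records the deletion by handle only.
Remove-Item -Path $probe
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$probe*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

If step 3 shows the inherited entry and step 1 reports success and failure auditing but step 4 returns nothing, the gap is between policy and logging rather than in the SACL.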